kubernetes-sigs
diff --git a/‎docs/flags.md‎
Lines changed: 10 additions & 11 deletions b/‎docs/flags.md‎
Lines changed: 10 additions & 11 deletions
diff --git a/‎pkg/apis/externaldns/binders.go‎
Lines changed: 80 additions & 0 deletions b/‎pkg/apis/externaldns/binders.go‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎pkg/apis/externaldns/binders_test.go‎
Lines changed: 142 additions & 0 deletions b/‎pkg/apis/externaldns/binders_test.go‎
Lines changed: 142 additions & 0 deletions
@@ -31,9 +31,9 @@
 | `--[no-]exclude-unschedulable` | Exclude nodes that are considered unschedulable (default: true) |
 | `--[no-]expose-internal-ipv6` | When using the node source, expose internal IPv6 addresses (optional, default: false) |
 | `--fqdn-template=""` | A templated string that's used to generate DNS names from sources that don't define a hostname themselves, or to add a hostname suffix when paired with the fake source (optional). Accepts comma separated list for multiple global FQDN. |
-| `--gateway-label-filter=GATEWAY-LABEL-FILTER` | Filter Gateways of Route endpoints via label selector (default: all gateways) |
-| `--gateway-name=GATEWAY-NAME` | Limit Gateways of Route endpoints to a specific name (default: all names) |
-| `--gateway-namespace=GATEWAY-NAMESPACE` | Limit Gateways of Route endpoints to a specific namespace (default: all namespaces) |
+| `--gateway-label-filter=""` | Filter Gateways of Route endpoints via label selector (default: all gateways) |
+| `--gateway-name=""` | Limit Gateways of Route endpoints to a specific name (default: all names) |
+| `--gateway-namespace=""` | Limit Gateways of Route endpoints to a specific namespace (default: all namespaces) |
 | `--[no-]ignore-hostname-annotation` | Ignore hostname annotation when generating DNS names, valid only when --fqdn-template is set (default: false) |
 | `--[no-]ignore-ingress-rules-spec` | Ignore the spec.rules section in Ingress resources (default: false) |
 | `--[no-]ignore-ingress-tls-spec` | Ignore the spec.tls section in Ingress resources (default: false) |
@@ -43,17 +43,15 @@
 | `--managed-record-types=A...` | Record types to manage; specify multiple times to include many; (default: A,AAAA,CNAME) (supported records: A, AAAA, CNAME, NS, SRV, TXT) |
 | `--namespace=""` | Limit resources queried for endpoints to a specific namespace (default: all namespaces) |
 | `--nat64-networks=NAT64-NETWORKS` | Adding an A record for each AAAA record in NAT64-enabled networks; specify multiple times for multiple possible nets (optional) |
-| `--openshift-router-name=OPENSHIFT-ROUTER-NAME` | if source is openshift-route then you can pass the ingress controller name. Based on this name external-dns will select the respective router from the route status and map that routerCanonicalHostname to the route host while creating a CNAME record. |
+| `--openshift-router-name=""` | if source is openshift-route then you can pass the ingress controller name. Based on this name external-dns will select the respective router from the route status and map that routerCanonicalHostname to the route host while creating a CNAME record. |
 | `--pod-source-domain=""` | Domain to use for pods records (optional) |
 | `--[no-]publish-host-ip` | Allow external-dns to publish host-ip for headless services (optional) |
 | `--[no-]publish-internal-services` | Allow external-dns to publish DNS records for ClusterIP services (optional) |
 | `--service-type-filter=SERVICE-TYPE-FILTER` | The service types to filter by. Specify multiple times for multiple filters to be applied. (optional, default: all, expected: ClusterIP, NodePort, LoadBalancer or ExternalName) |
-| `--source=source` | The resource types that are queried for endpoints; specify multiple times for multiple sources (required, options: service, ingress, node, pod, fake, connector, gateway-httproute, gateway-grpcroute, gateway-tlsroute, gateway-tcproute, gateway-udproute, istio-gateway, istio-virtualservice, cloudfoundry, contour-httpproxy, gloo-proxy, crd, empty, skipper-routegroup, openshift-route, ambassador-host, kong-tcpingress, f5-virtualserver, f5-transportserver, traefik-proxy) |
 | `--target-net-filter=TARGET-NET-FILTER` | Limit possible targets by a net filter; specify multiple times for multiple possible nets (optional) |
 | `--[no-]traefik-enable-legacy` | Enable legacy listeners on Resources under the traefik.containo.us API Group |
 | `--[no-]traefik-disable-new` | Disable listeners on Resources under the traefik.io API Group |
 | `--events-emit=EVENTS-EMIT` | Events that should be emitted. Specify multiple times for multiple events support (optional, default: none, expected: RecordReady, RecordDeleted, RecordError) |
-| `--provider=provider` | The DNS provider where the DNS records will be created (required, options: akamai, alibabacloud, aws, aws-sd, azure, azure-dns, azure-private-dns, civo, cloudflare, coredns, digitalocean, dnsimple, exoscale, gandi, godaddy, google, inmemory, linode, ns1, oci, ovh, pdns, pihole, plural, rfc2136, scaleway, skydns, transip, webhook) |
 | `--provider-cache-time=0s` | The time to cache the DNS provider record list requests. |
 | `--domain-filter=` | Limit possible target zones by a domain suffix; specify multiple times for multiple domains (optional) |
 | `--exclude-domains=` | Exclude subdomains (optional) |
@@ -95,7 +93,7 @@
 | `--cloudflare-custom-hostnames-certificate-authority=none` | When using the Cloudflare provider with the Custom Hostnames, specify which Certificate Authority will be used. A value of none indicates no Certificate Authority will be sent to the Cloudflare API (default: none, options: google, ssl_com, lets_encrypt, none) |
 | `--cloudflare-dns-records-per-page=100` | When using the Cloudflare provider, specify how many DNS records listed per page, max possible 5,000 (default: 100) |
 | `--[no-]cloudflare-regional-services` | When using the Cloudflare provider, specify if Regional Services feature will be used (default: disabled) |
-| `--cloudflare-region-key=CLOUDFLARE-REGION-KEY` | When using the Cloudflare provider, specify the default region for Regional Services. Any value other than an empty string will enable the Regional Services feature (optional) |
+| `--cloudflare-region-key=""` | When using the Cloudflare provider, specify the default region for Regional Services. Any value other than an empty string will enable the Regional Services feature (optional) |
 | `--cloudflare-record-comment=""` | When using the Cloudflare provider, specify the comment for the DNS records (default: '') |
 | `--coredns-prefix="/skydns/"` | When using the CoreDNS provider, specify the prefix name |
 | `--akamai-serviceconsumerdomain=""` | When using the Akamai provider, specify the base URL (required when --provider=akamai and edgerc-path not specified) |
@@ -105,7 +103,7 @@
 | `--akamai-edgerc-path=""` | When using the Akamai provider, specify the .edgerc file path. Path must be reachable form invocation environment. (required when --provider=akamai and *-token, secret serviceconsumerdomain not specified) |
 | `--akamai-edgerc-section=""` | When using the Akamai provider, specify the .edgerc file path (Optional when edgerc-path is specified) |
 | `--oci-config-file="/etc/kubernetes/oci.yaml"` | When using the OCI provider, specify the OCI configuration file (required when --provider=oci |
-| `--oci-compartment-ocid=OCI-COMPARTMENT-OCID` | When using the OCI provider, specify the OCID of the OCI compartment containing all managed zones and records.  Required when using OCI IAM instance principal authentication. |
+| `--oci-compartment-ocid=""` | When using the OCI provider, specify the OCID of the OCI compartment containing all managed zones and records.  Required when using OCI IAM instance principal authentication. |
 | `--oci-zone-scope=GLOBAL` | When using OCI provider, filter for zones with this scope (optional, options: GLOBAL, PRIVATE). Defaults to GLOBAL, setting to empty value will target both. |
 | `--[no-]oci-auth-instance-principal` | When using the OCI provider, specify whether OCI IAM instance principal authentication should be used (instead of key-based auth via the OCI config file). |
 | `--oci-zones-cache-duration=0s` | When using the OCI provider, set the zones list cache TTL (0s to disable). |
@@ -119,11 +117,11 @@
 | `--[no-]pdns-skip-tls-verify` | When using the PowerDNS/PDNS provider, disable verification of any TLS certificates (optional when --provider=pdns) (default: false) |
 | `--ns1-endpoint=""` | When using the NS1 provider, specify the URL of the API endpoint to target (default: https://api.nsone.net/v1/) |
 | `--[no-]ns1-ignoressl` | When using the NS1 provider, specify whether to verify the SSL certificate (default: false) |
-| `--ns1-min-ttl=NS1-MIN-TTL` | Minimal TTL (in seconds) for records. This value will be used if the provided TTL for a service/ingress is lower than this. |
+| `--ns1-min-ttl=0` | Minimal TTL (in seconds) for records. This value will be used if the provided TTL for a service/ingress is lower than this. |
 | `--digitalocean-api-page-size=50` | Configure the page size used when querying the DigitalOcean API. |
 | `--godaddy-api-key=""` | When using the GoDaddy provider, specify the API Key (required when --provider=godaddy) |
 | `--godaddy-api-secret=""` | When using the GoDaddy provider, specify the API secret (required when --provider=godaddy) |
-| `--godaddy-api-ttl=GODADDY-API-TTL` | TTL (in seconds) for records. This value will be used if the provided TTL for a service/ingress is not provided. |
+| `--godaddy-api-ttl=0` | TTL (in seconds) for records. This value will be used if the provided TTL for a service/ingress is not provided. |
 | `--[no-]godaddy-api-ote` | When using the GoDaddy provider, use OTE api (optional, default: false, when --provider=godaddy) |
 | `--tls-ca=""` | When using TLS communication, the path to the certificate authority to verify server communications (optionally specify --tls-client-cert for two-way TLS) |
 | `--tls-client-cert=""` | When using TLS communication, the path to the certificate to present as a client (not required for TLS) |
@@ -174,11 +172,12 @@
 | `--[no-]once` | When enabled, exits the synchronization loop after the first iteration (default: disabled) |
 | `--[no-]dry-run` | When enabled, prints DNS record changes rather than actually performing them (default: disabled) |
 | `--[no-]events` | When enabled, in addition to running every interval, the reconciliation loop will get triggered when supported sources change (default: disabled) |
-| `--min-ttl=MIN-TTL` | Configure global TTL for records in duration format. This value is used when the TTL for a source is not set or set to 0. (optional; examples: 1m12s, 72s, 72) |
 | `--log-format=text` | The format in which log messages are printed (default: text, options: text, json) |
 | `--metrics-address=":7979"` | Specify where to serve the metrics and health check endpoint (default: :7979) |
 | `--log-level=info` | Set the level of logging. (default: info, options: panic, debug, info, warning, error, fatal) |
 | `--webhook-provider-url="http://localhost:8888"` | The URL of the remote endpoint to call for the webhook provider (default: http://localhost:8888) |
 | `--webhook-provider-read-timeout=5s` | The read timeout for the webhook provider in duration format (default: 5s) |
 | `--webhook-provider-write-timeout=10s` | The write timeout for the webhook provider in duration format (default: 10s) |
 | `--[no-]webhook-server` | When enabled, runs as a webhook server instead of a controller. (default: false). |
+| `--provider=provider` | The DNS provider where the DNS records will be created (required, options: akamai, alibabacloud, aws, aws-sd, azure, azure-dns, azure-private-dns, civo, cloudflare, coredns, digitalocean, dnsimple, exoscale, gandi, godaddy, google, inmemory, linode, ns1, oci, ovh, pdns, pihole, plural, rfc2136, scaleway, skydns, transip, webhook) |
+| `--source=source` | The resource types that are queried for endpoints; specify multiple times for multiple sources (required, options: service, ingress, node, pod, fake, connector, gateway-httproute, gateway-grpcroute, gateway-tlsroute, gateway-tcproute, gateway-udproute, istio-gateway, istio-virtualservice, cloudfoundry, contour-httpproxy, gloo-proxy, crd, empty, skipper-routegroup, openshift-route, ambassador-host, kong-tcpingress, f5-virtualserver, f5-transportserver, traefik-proxy) |
@@ -17,6 +17,8 @@ limitations under the License.
 package externaldns
 
 import (
+	"fmt"
+	"regexp"
 	"strconv"
 	"time"
 
@@ -33,6 +35,13 @@ type FlagBinder interface {
 	Int64Var(name, help string, def int64, target *int64)
 	StringsVar(name, help string, def []string, target *[]string)
 	EnumVar(name, help, def string, target *string, allowed ...string)
+	// StringsEnumVar binds a repeatable string flag with an allowed set.
+	// Implementations may not enforce allowed values.
+	StringsEnumVar(name, help string, def []string, target *[]string, allowed ...string)
+	// StringMapVar binds key=value repeatable flags into a map.
+	StringMapVar(name, help string, target *map[string]string)
+	// RegexpVar binds a regular expression value.
+	RegexpVar(name, help string, def *regexp.Regexp, target **regexp.Regexp)
 }
 
 // KingpinBinder implements FlagBinder using github.com/alecthomas/kingpin/v2.
@@ -81,6 +90,60 @@ func (b *KingpinBinder) EnumVar(name, help, def string, target *string, allowed
 	b.App.Flag(name, help).Default(def).EnumVar(target, allowed...)
 }
 
+func (b *KingpinBinder) StringsEnumVar(name, help string, def []string, target *[]string, allowed ...string) {
+	if len(def) > 0 {
+		b.App.Flag(name, help).Default(def...).EnumsVar(target, allowed...)
+		return
+	}
+	b.App.Flag(name, help).EnumsVar(target, allowed...)
+}
+
+func (b *KingpinBinder) StringMapVar(name, help string, target *map[string]string) {
+	b.App.Flag(name, help).StringMapVar(target)
+}
+
+func (b *KingpinBinder) RegexpVar(name, help string, def *regexp.Regexp, target **regexp.Regexp) {
+	defStr := ""
+	if def != nil {
+		defStr = def.String()
+	}
+	b.App.Flag(name, help).Default(defStr).RegexpVar(target)
+}
+
+type regexpValue struct {
+	target **regexp.Regexp
+}
+
+func (rv *regexpValue) String() string {
+	if rv == nil || rv.target == nil || *rv.target == nil {
+		return ""
+	}
+	return (*rv.target).String()
+}
+
+func (rv *regexpValue) Set(s string) error {
+	re, err := regexp.Compile(s)
+	if err != nil {
+		return err
+	}
+	*rv.target = re
+	return nil
+}
+
+func (rv *regexpValue) Type() string { return "regexp" }
+
+type regexpSetter interface {
+	Set(string) error
+}
+
+func setRegexpDefault(rs regexpSetter, def *regexp.Regexp, name string) {
+	if def != nil {
+		if err := rs.Set(def.String()); err != nil {
+			panic(fmt.Errorf("invalid default regexp for flag %s: %w", name, err))
+		}
+	}
+}
+
 // CobraBinder implements FlagBinder using github.com/spf13/cobra.
 type CobraBinder struct {
 	Cmd *cobra.Command
@@ -119,3 +182,20 @@ func (b *CobraBinder) StringsVar(name, help string, def []string, target *[]stri
 func (b *CobraBinder) EnumVar(name, help, def string, target *string, allowed ...string) {
 	b.Cmd.Flags().StringVar(target, name, def, help)
 }
+
+func (b *CobraBinder) StringsEnumVar(name, help string, def []string, target *[]string, allowed ...string) {
+	// pflag does not enforce enums.
+	b.Cmd.Flags().StringArrayVar(target, name, def, help)
+}
+
+func (b *CobraBinder) StringMapVar(name, help string, target *map[string]string) {
+	// Use StringToStringVar for key=value pairs.
+	b.Cmd.Flags().StringToStringVar(target, name, map[string]string{}, help)
+}
+
+func (b *CobraBinder) RegexpVar(name, help string, def *regexp.Regexp, target **regexp.Regexp) {
+	rv := &regexpValue{target: target}
+	// set default value to mirror kingpin's Default(def.String()) behavior
+	setRegexpDefault(rv, def, name)
+	b.Cmd.Flags().Var(rv, name, help)
+}
@@ -17,6 +17,8 @@ limitations under the License.
 package externaldns
 
 import (
+	"errors"
+	"regexp"
 	"testing"
 	"time"
 
@@ -26,6 +28,10 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+type badSetter struct{}
+
+func (b *badSetter) Set(s string) error { return errors.New("bad default") }
+
 func TestKingpinBinderParsesAllTypes(t *testing.T) {
 	app := kingpin.New("test", "")
 	b := NewKingpinBinder(app)
@@ -137,3 +143,139 @@ func TestCobraBinderEnumNotValidatedHere(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, "c", e)
 }
+
+// Cobra requires --<flag>=false
+func TestCobraBinderNoBooleanNegationFormUnsupported(t *testing.T) {
+	cmd := &cobra.Command{Use: "test"}
+	b := NewCobraBinder(cmd)
+
+	var v bool
+	b.BoolVar("v", "bool flag", true, &v)
+
+	cmd.SetArgs([]string{"--no-v"})
+	err := cmd.Execute()
+	require.Error(t, err)
+}
+
+func TestCobraRegexValueSetStringType(t *testing.T) {
+	var r *regexp.Regexp
+	rv := &regexpValue{target: &r}
+
+	require.Equal(t, "regexp", rv.Type())
+	// empty when target nil
+	assert.Empty(t, rv.String())
+
+	// invalid pattern returns error
+	err := rv.Set("(")
+	require.Error(t, err)
+
+	// valid pattern sets target
+	err = rv.Set("^foo$")
+	require.NoError(t, err)
+	require.NotNil(t, r)
+	assert.Equal(t, "^foo$", r.String())
+	assert.Equal(t, "^foo$", rv.String())
+}
+
+func TestCobraRegexpVarDefaultAndInvalidValue(t *testing.T) {
+	cmd := &cobra.Command{Use: "test"}
+	b := NewCobraBinder(cmd)
+
+	var r *regexp.Regexp
+	// Provide a valid default: should set target immediately
+	b.RegexpVar("re", "help", regexp.MustCompile("^x+$"), &r)
+	require.NotNil(t, r)
+	assert.Equal(t, "^x+$", r.String())
+
+	// Executing with an invalid value should produce an error
+	cmd2 := &cobra.Command{Use: "test2"}
+	b2 := NewCobraBinder(cmd2)
+	var r2 *regexp.Regexp
+	b2.RegexpVar("re", "help", nil, &r2)
+	cmd2.SetArgs([]string{"--re=invalid("})
+	err := cmd2.Execute()
+	require.Error(t, err)
+}
+
+func TestCobraStringMapVarDefaultEmpty(t *testing.T) {
+	cmd := &cobra.Command{Use: "test"}
+	b := NewCobraBinder(cmd)
+
+	var m map[string]string
+	b.StringMapVar("m", "help", &m)
+
+	cmd.SetArgs([]string{})
+	err := cmd.Execute()
+	require.NoError(t, err)
+	require.NotNil(t, m)
+	assert.Empty(t, m)
+}
+
+func TestKingpinRegexpVarDefaultAndParse(t *testing.T) {
+	app := kingpin.New("test", "")
+	b := NewKingpinBinder(app)
+
+	var r *regexp.Regexp
+	b.RegexpVar("re", "help", regexp.MustCompile("^a+$"), &r)
+
+	_, err := app.Parse([]string{})
+	require.NoError(t, err)
+	require.NotNil(t, r)
+	assert.Equal(t, "^a+$", r.String())
+
+	// user-provided value should override default
+	var r2 *regexp.Regexp
+	app2 := kingpin.New("test2", "")
+	b2 := NewKingpinBinder(app2)
+	b2.RegexpVar("re", "help", nil, &r2)
+	_, err = app2.Parse([]string{"--re=^b+$"})
+	require.NoError(t, err)
+	require.NotNil(t, r2)
+	assert.Equal(t, "^b+$", r2.String())
+}
+
+func TestKingpinStringsEnumVarWithAndWithoutDefault(t *testing.T) {
+	app := kingpin.New("test", "")
+	b := NewKingpinBinder(app)
+
+	var vals []string
+	b.StringsEnumVar("se", "help", []string{"a", "b"}, &vals, "a", "b", "c")
+	_, err := app.Parse([]string{})
+	require.NoError(t, err)
+	assert.ElementsMatch(t, []string{"a", "b"}, vals)
+
+	// without default
+	app2 := kingpin.New("test2", "")
+	b2 := NewKingpinBinder(app2)
+	var vals2 []string
+	b2.StringsEnumVar("se", "help", nil, &vals2, "a", "b", "c")
+	_, err = app2.Parse([]string{"--se=a", "--se=c"})
+	require.NoError(t, err)
+	assert.ElementsMatch(t, []string{"a", "c"}, vals2)
+}
+
+func TestCobraStringsEnumVarWithAndWithoutDefault(t *testing.T) {
+	cmd := &cobra.Command{Use: "test"}
+	b := NewCobraBinder(cmd)
+
+	var vals []string
+	b.StringsEnumVar("se", "help", []string{"x", "y"}, &vals, "x", "y")
+	cmd.SetArgs([]string{})
+	require.NoError(t, cmd.Execute())
+	assert.ElementsMatch(t, []string{"x", "y"}, vals)
+
+	// without default
+	cmd2 := &cobra.Command{Use: "test2"}
+	b2 := NewCobraBinder(cmd2)
+	var vals2 []string
+	b2.StringsEnumVar("se", "help", nil, &vals2, "x", "y")
+	cmd2.SetArgs([]string{"--se=a", "--se=b"})
+	require.NoError(t, cmd2.Execute())
+	assert.ElementsMatch(t, []string{"a", "b"}, vals2)
+}
+
+func TestSetRegexDefaultPanicsOnInvalidDefault(t *testing.T) {
+	bs := &badSetter{}
+	def := regexp.MustCompile("^")
+	require.Panics(t, func() { setRegexpDefault(bs, def, "flag") })
+}